Finished overhauling myhometheaterpc.com

Maybe it's just the fact that I live in the southern hospitality state of FL, but it's not often that I see anyone actually war driving and trying to hack into a network around my house. If someone wanted to hack my network it would be because they were specifically targeting me. If they simply want an internet connection, it's just as easy to drive over to Starbucks or the local hotel parking lot where there are open access points and no restrictions. I am not saying that I don't have any protection on my network and don't care about it, but it's rare that you are going to find the rogue wireless hackers parking in your driveway while you are not home trying to hack into your system. Maybe it's just because I'm in the redneck riviera and there are so many people who don't even understand wireless networking at all.

Actually, this is the EXACT opposite situation in the SF Bay Area. It's a much higher density of housing here than in FL, not a hospitality thing; I'm sure there are criminals in Miami too, but this may not be high enough ROI for them. Oakland PD, Richmond PD, and SFPD have all issued warnings lately of drivers in station wagons and/or vans driving around slowly with multiple laptops and long antennas clearly looking for networks.

Furthermore, there was proof that they were looking to hack (had hacked?) into WEP-secured networks, and me/HOA led a charge to educate folks on WPA vs WEP, and getting folks to switch to WPA.
 
that would be the least of the worries - once they're on your LAN anything is fair game - keyloggers, malware, id theft, backdoors, data corruption, etc. they are more likely to come through your open ports than via your wireless lan - buffer overflows on your web server to gain admin access, etc etc

How easy is it for someone to hack an Apache webserver and get through a firewall (if not multiple, i.e. Windows, router, Norton)?

if apache is on your LAN, they don't need to get through your firewall. you've already opened a door for them. there may be no known vulnerability in apache that can lead to a problem...it just hasn't been found yet or may be introduced in a future version. (some apache vulnerabilities: http://httpd.apache.org/security_report.html)

I'm certainly not a hacker so I wouldn't know. I'm sure it's probably possible.

Assuming it is indeed tough to do (as it should be) and taking it a step further, what are the odds that a hacker is going to pick your puny site/domain to attempt to hack?

Example: After seeing IVB's site, would a hacker actually attempt to hack his server over something more worthwhile like an ecommerce site that may actually net account information from many people?

these attacks are all automated by scripts. they are looking for particular software installed on servers that have easily exploitable vulnerabilities. they don't care where the server is or what's on it. they are scanning blocks of ip addresses and can cover thousands of ips in minutes. there are probably botnets set up to do just that. my web server gets several dozen probes a day. i have gotten probes looking for joomla on my server, so yes, IVB's site may be of interest to someone somewhere ( http://www.google.com/search?q=joomla+vulnerabilities )

Is it even possible to "know" if a particular site is hosted on a server farm in a California based web hosting company, or my home's personal computer? I assume this is transparent, but again I have no idea.

it's trivial to script up a whois on an ip address to get an idea of what's on the other end - corporate, home user, etc. ISPs dole out IP addresses from known ranges. (see also http://www.google.com/search?q=ip+geolocation )
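
The automated probes described in the post above show up in a web server's own access log. As an added example (not part of the original thread), this Python script counts requests for Joomla-style paths on a server that does not run Joomla; the path markers, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" access-log format: host, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: URL fragments typical of a Joomla install. On a server that does
# not run Joomla, nobody has a legitimate reason to request these.
PROBE_MARKERS = ("/administrator/", "option=com_", "/components/com_")

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2009:04:11:02 -0700] "GET /administrator/index.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2009:04:11:03 -0700] "GET /index.php?option=com_content HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2009:09:30:15 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2009:13:02:40 -0700] "GET /components/com_foo/x.php HTTP/1.0" 404 209 "-" "-"
192.0.2.44 - - [12/Mar/2009:09:30:16 -0700] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
not a log line
"""


def find_probes(log_text, markers=PROBE_MARKERS):
    """Return (Counter of probe hits per source IP, number of unparsable lines)."""
    hits, skipped = Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # keep count so malformed input is not silently ignored
            continue
        path = m.group("path").lower()
        # A 404 alone is noise (favicon.ico); require a marker for absent software.
        if m.group("status") == "404" and any(k in path for k in markers):
            hits[m.group("ip")] += 1
    return hits, skipped


if __name__ == "__main__":
    probes, bad = find_probes(SAMPLE_LOG)
    for ip, n in probes.most_common():
        print(f"{ip}: {n} probe request(s)")
    print(f"unparsable lines: {bad}")
```

Run against a real log, the same function gives a per-source count that can feed a block list or simply confirm how much of the traffic is scanning.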


I apparently wasn't thinking clearly when I made the statement about the firewall - doh!

I also hadn't really thought much about having automated scripts to scan as you talked about. I suppose it's really up to the vulnerabilities of Apache or whatever webserver you run. I ASSUME, since Apache is open source (I think that's a correct statement) and written by developers and upgraded pretty regularly, they likely stay on top of this as best as they can.

I've paid for server space for some time, but re-evaluated this past year (after it was automatically renewed) and figure I will likely discontinue doing so approx. a year from now. My site is not used / viewed, etc. and there is no reason I want to continue paying $60 / yr ($40 for the 500MB of space, $9.99 for domain name, and $10.99 for registry privacy) for it.
 
open source also means the bad guys have access to the source as well. also the devs may fix the bugs but that also assumes you know about them and are regularly patching.

nothing wrong w/ DIY as long as you take steps to minimize your risk.
 